Configuring Generic HEC
The Generic HTTP Event Collector (HEC) allows you to easily stream logs from Kolide directly to an HTTP endpoint for further processing and storage.
This log destination type is modeled after the HTTP Event Collectors offered by various log aggregation services. To get an idea of how we generally expect an HEC to behave, we suggest reading through Splunk’s documentation on HECs.
Prerequisites
To configure a generic HEC Log Destination, you’ll need a publicly accessible HTTP endpoint that:
- Accepts HTTP POST requests with JSON data in the body of the request
- Supports authorization based on an HTTP Authorization header and a shared secret
How to Configure a generic HEC Log Destination
From the Log Destinations list view:
- Click Add New Destination
- Click Generic HEC
In the configuration modal that appears:
- Provide a Display Name for your HEC. This will help you differentiate it from your other configured log destinations.
- Provide an Integration Name. This should be the name of the service providing the HTTP endpoint (e.g. )
- Provide the URL endpoint for your HEC.
- Provide the secret token for your HEC.
- If your HEC endpoint expects an Authorization prefix other than Bearer, enter it here.
- Select the log types this Log Destination should receive.
- Click Save
Once you click Save, Kolide will send a test event to your Generic HEC endpoint. The event should look like this:
{
"key":"<INTEGRATION NAME OR DISPLAY NAME>_kolide_testing",
"ts":1723751668,
"type":"log_destination_test"
}
If your HEC endpoint does not respond successfully, you will see an error message informing you of the failure.
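The following is an added example of a minimal endpoint that satisfies the prerequisites above and handles the test event shown; it is not Kolide's code or any vendor's reference implementation. It assumes a collector path of /services/collector, a HEC_TOKEN environment variable for the shared secret, and a Splunk-style {"text", "code"} response body; none of those come from the page. The Authorization check matches the scheme as a whole token (so a configured prefix such as Bearer cannot be satisfied by a partial match), compares the secret in constant time, and runs before the body is parsed so unauthenticated callers never reach the JSON parser.

```python
"""Minimal generic HEC receiver (added example, not Kolide's or any vendor's code).

Assumptions not taken from the page: the listening path /services/collector,
the HEC_TOKEN environment variable, and the {"text": ..., "code": ...} response shape.
"""
import hmac
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

# Shared secret and expected Authorization prefix; a real deployment would load
# both from its own configuration.  The default token is a placeholder.
HEC_TOKEN = os.environ.get("HEC_TOKEN", "example-token-change-me")
AUTH_PREFIX = "Bearer"
COLLECTOR_PATH = "/services/collector"  # assumed path, not from the page

RECEIVED = []  # stand-in for real storage; a collector would persist or forward events


def check_authorization(header_value, secret=HEC_TOKEN, prefix=AUTH_PREFIX):
    """Return True only if header_value is exactly '<prefix> <secret>'.

    The scheme is compared case-insensitively (HTTP auth schemes are), and the
    secret with hmac.compare_digest so timing does not reveal matching bytes.
    """
    if not header_value:
        return False
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2:
        return False
    scheme, token = parts
    if scheme.lower() != prefix.lower():
        return False
    return hmac.compare_digest(token.encode(), secret.encode())


def handle_event(path, headers, body, secret=HEC_TOKEN, prefix=AUTH_PREFIX):
    """Process one POST and return (http_status, response_dict).

    Order matters: path, then Authorization, then body parsing, so that an
    unauthenticated caller cannot exercise the JSON parser at all.
    """
    if path != COLLECTOR_PATH:
        return 404, {"text": "not found", "code": 404}
    if not check_authorization(headers.get("Authorization"), secret, prefix):
        return 401, {"text": "invalid token", "code": 401}
    try:
        event = json.loads(body)
    except ValueError:  # covers JSONDecodeError and bad UTF-8
        return 400, {"text": "invalid json", "code": 400}
    if not isinstance(event, dict):
        return 400, {"text": "event must be a JSON object", "code": 400}
    if event.get("type") == "log_destination_test":
        # Kolide's connectivity probe: acknowledge it without storing it.
        return 200, {"text": "test ok", "code": 0, "key": event.get("key")}
    RECEIVED.append(event)
    return 200, {"text": "Success", "code": 0}


class HECHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        status, payload = handle_event(self.path, self.headers, body)
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Binds to localhost only; terminate TLS in front of it before exposing
    # the endpoint publicly, since the shared secret travels in every request.
    HTTPServer(("127.0.0.1", 8088), HECHandler).serve_forever()
```

To try it against the page's test event: run the script, then POST the JSON above to http://127.0.0.1:8088/services/collector with an Authorization: Bearer <HEC_TOKEN> header; a wrong scheme, missing header, or mismatched token gets 401 without the body ever being parsed. If you configured a non-default prefix in Kolide, change AUTH_PREFIX to match.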